4.3 Lab: Authentication Triage Desk

🎯 Lab Scenario

You are the tier-1 analyst on an Identity and Access Management (IAM) team. Three tickets have come in this morning. For each case you will: (1) identify the attack, (2) name the access-control or authentication weakness that enabled it, and (3) recommend one short-term and one long-term fix.

Commit your answer BEFORE clicking Reveal. That is the point of the lab.

Case 1: The 2 a.m. Finance Transfer

Ticket #IAM-308 — Suspicious Wire Transfer

Reporter: Controller, Finance

Description: A $340,000 wire transfer was initiated at 2:14 a.m. local time from the corporate banking portal. It used the credentials of Jessica M., a finance staff accountant. Jessica says she was asleep and did not initiate the transfer.

Login telemetry:

Login event: Finance Banking Portal
  Time:         02:14:03 local
  User:         [email protected]
  Source IP:    193.x.x.x (geolocation: Bulgaria)
  Device:       Chrome on Windows 11 (NOT a managed endpoint)
  MFA:          Approved via SMS code
  Jessica's phone number was ported to a new SIM 4 hours earlier.

Jessica confirms she lost signal on her phone around 10 p.m. but assumed it was carrier trouble.

Your Analysis (Case 1) Commit your three answers before clicking Reveal.

1. Attack name:

2. Root-cause authentication weakness:

3. Short-term + long-term fixes:

Case 2: The Vacation Policy Approval

Ticket #IAM-311 — Policy Change in HR System

Reporter: Director of HR

Description: The company vacation-carryover policy was silently changed in the HR system over the weekend to increase maximum carryover from 40 hours to 400 hours. The change was submitted, reviewed, and approved by a single user: “hradmin_service.”

Account audit on hradmin_service:

Account: hradmin_service
  Type:          Service account (no human owner)
  Created:       2018
  Password:      Not rotated since creation (2,100+ days)
  Used by:       HR automation scripts (documented)
                 HR weekend on-call (undocumented, per interview)
  Privileges:    HR Administrator + Policy Approver
  MFA:           Exempt (service account)
Your Analysis (Case 2) Commit your three answers before clicking Reveal.

1. Name the two security principles being violated:

2. Why does this make forensic attribution hard:

3. Short-term + long-term fixes:

Case 3: The SSO Session Explosion

Ticket #IAM-317 — Impossible Travel Alert Storm

Reporter: SIEM (automated)

Description: Over a 90-minute window, 14 different employees generated “impossible travel” alerts in the SSO provider. Each employee had a session established from the corporate office (approved) and, within the same hour, a new authenticated session established from a South Asian IP address — without any re-prompt for MFA.

Investigation notes:

Common factor across all 14 users:
  - All attended a “virtual benefits training” on Tuesday
  - The training link was:   hxxps://benefits-portal[.]acmecorpenroll[.]info
  - The REAL benefits portal: https://benefits.acmecorp.com
  - The training link proxied the login to the real SSO and
    captured the resulting SAML session tokens.
  - SSO sessions have a 24-hour TTL with no re-auth requirement.
Your Analysis (Case 3) Commit your three answers before clicking Reveal.

1. Attack name:

2. Why did MFA fail to stop this:

3. Short-term + long-term fixes:

📚 How This Prepares You for the AP Exam

All three cases share the same analytical structure: identify the attack, locate the single authentication or authorization weakness that made it possible, and recommend a layered fix. This “attack → weakness → layered fix” chain is the backbone of AP Cyber scenario FRQ-style questions. Practicing it in writing — with full sentences — is the rehearsal you want.

AP Cybersecurity · Unit 4 · Lesson 4.3 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]